Over the past six months, cybersecurity attacks have increased around the globe, many of which have specifically impacted the health care industry. According to a 2017 Healthcare Breach Report released by data protection company Bitglass, 328 U.S. health care firms reported data breaches in 2016, up from 268.


This year, the following attacks occurred: (1) In February, California's Hollywood Presbyterian Medical Center paid cyber attackers $17,000 in Bitcoins to regain control of its systems; (2) a month later, Alvaro Hospital Medical Center in San Diego was attacked but refused to pay; (3) additionally, Merck and Pennsylvania’s Heritage Valley Health System were attacked; and (4) in July, Caro Community Hospital Medical Clinic and Quick Care (both located in Caro, Michigan) were attacked.


This past May, international headlines were made when one of the largest “ransomware” attacks on record, aptly named “WannaCry,” “WCry” or “Wanna Decryptor,” was transmitted via email targeting vulnerabilities in computer systems. During this attack, cyber attackers took over computers, encrypted information, then demanded payment of $300 of Bitcoin per machine to unlock the devices.


The attack impacted 74 countries and a wide variety of industries. It affected some of the world’s largest institutions and government agencies, including the United Kingdom’s National Health Service, where 16 hospitals were hit. Since many of the European hospital systems are centralized, the result was crippling. For some reason, perhaps because the hospital systems in the United States are less centralized, U.S. hospitals were not significantly impacted by this attack.


These attacks impacted health systems in a variety of ways, resulting in the inability of hospitals to provide health care to patients. Among other things, the attacks disabled the facilities and inhibited the ability of doctors to access medical records. Without access to medical records, hospitals could not access health insurance records to confirm coverage, and, more importantly, medical history could not be obtained; doctors could not prescribe new scripts or render services because they could not check for contraindications for adverse interactions or allergies. More minor complications resulted in the doctors’ inability to update records or communicate with other doctors.


There are problems that extend beyond the immediate impact. The hackers can use or sell the stolen information to falsely obtain medical procedures. Another potential harm is that individuals could potentially be blackmailed due to sensitive information contained in health records. Health care systems do not just contain medical records; they contain Social Security numbers, bank statements, financial history, driver’s licenses and information on spouses and guarantors. Unscrupulous third parties can also use this information to falsify prescriptions, sell the scripts on the black market, or obtain them for personal use.

The financial and operational risks from a cyberattack would be exacerbated in bankruptcy, although to date none have occurred post-petition. Moreover, the harms identified above could force an entity to contemplate or file for bankruptcy because of an influx of claims. WannaCry was the indirect result of a failure to perform certain simple upgrades and implement patches. Thus, individuals who have had their privacy breached, or their personal data hacked or utilized by third parties, may have a basis to sue the medical facilities, or their officers or directors, for failing to take proper precautions. Patient injury or death due to compromised devices, systems or technology could lead to a potential rise in class actions and claims against the facilities.

In the bankruptcy case 21st Oncology Holdings, pending in the Southern District of New York, 17-22770 (RDD), a class action was filed on behalf of over two million current and former patients of the debtor who had their personal information compromised while undergoing cancer treatment at the facility. The claims assert that the loss was due to the company’s failure to enforce sufficient security protocols and procedures and that the company did not discover the breach, but rather the FBI informed the company that the information was posted on the Dark Web. The validity of the claims is currently being litigated before the Bankruptcy Court, but the existence of these claims suggests they may have contributed to the bankruptcy filing.


The cost of these suits can be enormous: In the United States, HIPAA settlements totaled over $17 million from breaches of confidential information. In June, Anthem, the largest U.S. health insurance company, settled a multi-district lawsuit for $115 million after the personal information of 78.8 million people was stolen during a 2015 cyberattack.


The concomitant loss of public confidence and trust when these kinds of attacks occur often results in the loss of revenue from the public seeking alternative venues for treatment. Moreover, insurance companies may consider the failure to protect this data a basis to stop reimbursements. Loss of revenue may lead to loss of independent funding. Lenders to the facility may consider any or all of these to be a breach of an underlying loan covenant as a result of disruption of operations and loss of patient information. All of these events may stress an already financially stressed health care provider.


Health care systems have an obligation to take reasonable care to protect private customer information. Focusing on these issues is also part of the responsibility of the officers and directors of a facility. Yet the cybersecurity protections do not seem to be in place.


While health care providers are universally switching over to electronic data, the security of this information has not matched its growth. Financial services industries devote in excess of ten percent of their annual IT budgets to cybersecurity, while the health care industry devotes less than 5 percent. Given that these facilities often have outdated IT systems and a wealth of confidential patient data, hospitals remain a particularly tempting target.


As health care budgets shrink, health care providers must focus on preparing and protecting against further attacks. While it may not be possible to replace all outdated equipment, some steps can be taken. One thing is clear: as these attacks continue to increase, the concomitant risk grows, leading a shaky industry to perhaps tip more into the insolvency zone.
